Vulnerability in the Windows HTTP.sys driver enables denial of service

The vulnerability affects not only Microsoft IIS web servers but all software that serves HTTP through the Windows kernel-mode HTTP.sys driver, such as the popular DLNA media sharing services, if they are reachable from the internet.

Exploit code published on the internet enables a denial of service against Windows systems that use the HTTP.sys driver. According to the NCSC-FI's knowledge, the denial of service has been confirmed in practice, even though several researchers have reported that they were unable to exploit the vulnerability.

In addition to IIS, the HTTP.sys driver is used at least by the Windows DLNA media sharing services that consumers often run, and by some remote management interfaces. Exploitation requires that the service is reachable from the internet.

According to Microsoft's bulletin, the vulnerability also enables remote code execution. So far no ready-made exploit for that has been observed on the internet.

So far the NCSC-FI has not observed attempts to exploit the vulnerability.

The NCSC-FI recommends that networked Windows systems be updated immediately, before exploitation becomes widespread.

Target group of the alert

The vulnerable driver is present in Windows Server 2008, Windows Server 2012, Windows 7 and Windows 8.x.

The vulnerability can only be exploited against a system that exposes to the internet a service using the HTTP.sys driver, such as IIS or a DLNA media sharing service.
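The following PowerShell snippet is added here as an example and is not part of the NCSC-FI alert. It lists the TCP ports on which HTTP.sys is listening, so an administrator can see whether anything beyond IIS is exposed. It relies on the fact that HTTP.sys is a kernel driver: its listening sockets are attributed to the System process (PID 4) in netstat, alongside a few other kernel listeners such as SMB on 139/445, which the snippet filters out by port number. The port list and the assumption of English-language netstat output are the example's own.

```powershell
# Added example, not from the NCSC-FI alert: enumerate listening TCP ports owned by the
# kernel (System, PID 4). HTTP.sys listeners appear here because the driver, not the
# application, owns the socket. Written for PowerShell 2.0 so it also runs on Windows 7.
# Assumes English netstat output (the State column is matched against "LISTEN").

# Kernel listeners that are not HTTP.sys (SMB) and must not be reported as web endpoints.
$NonHttpKernelPorts = @(139, 445)

function Get-HttpSysListener {
    netstat -ano -p tcp |
        ForEach-Object {
            $f = ($_ -replace '^\s+', '') -split '\s+'
            # Expected columns: Proto LocalAddress ForeignAddress State PID
            if ($f.Count -ge 5 -and $f[0] -eq 'TCP' -and $f[3] -match '^LISTEN' -and $f[4] -eq '4') {
                # Split "0.0.0.0:80" or "[::]:80" at the last colon.
                $addr, $port = $f[1] -split ':(?=\d+$)'
                if ($NonHttpKernelPorts -notcontains [int]$port) {
                    New-Object PSObject -Property @{
                        LocalAddress           = $addr
                        Port                   = [int]$port
                        ExposedOnAllInterfaces = ($addr -eq '0.0.0.0' -or $addr -eq '[::]')
                    }
                }
            }
        }
}

# Cross-check with the HTTP.sys request queues themselves: this shows which user-mode
# process (IIS worker process, Windows Media Player sharing, a remote management UI)
# owns each queue and which URLs it has registered.
function Get-HttpSysRequestQueue {
    netsh http show servicestate view=requestq
}

Get-HttpSysListener | Format-Table LocalAddress, Port, ExposedOnAllInterfaces -AutoSize
Get-HttpSysRequestQueue
```

A port that is listed as exposed on all interfaces and is also reachable through the perimeter firewall is the case the alert is about; ports bound only to a private address or filtered at the edge are not reachable from the internet.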

Possible solutions and restrictive measures

If the updates cannot be installed immediately, Microsoft's bulletin mentions that the problem can possibly be mitigated by disabling IIS kernel caching. Note that this only covers IIS: it does not help with other HTTP.sys consumers such as a DLNA service, and installing the update remains the actual fix.
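As an added example that is not part of the alert or of Microsoft's bulletin: the mitigation can be applied from PowerShell with the WebAdministration module that ships with IIS 7.5 and later, instead of clicking through IIS Manager. The snippet reads the current server-wide setting, disables kernel caching, and reads it back so the change can be verified; the appcmd.exe invocation in the comment is the equivalent for hosts without the module. The function names are the example's own.

```powershell
# Added example, not from the NCSC-FI alert or Microsoft's bulletin: disable IIS
# kernel-mode output caching server-wide. This affects IIS only; other HTTP.sys consumers
# such as a DLNA media sharing service are not covered, and the update remains the real fix.
# Run from an elevated PowerShell session on the IIS host.
Import-Module WebAdministration

$Filter = 'system.webServer/caching'
$Scope  = 'MACHINE/WEBROOT/APPHOST'   # applicationHost.config, i.e. the default for every site

function Get-IisKernelCacheState {
    $v = Get-WebConfigurationProperty -PSPath $Scope -Filter $Filter -Name enableKernelCache
    # The cmdlet returns a ConfigurationAttribute wrapper or, on some versions, the bare value.
    if ($v -is [bool]) { $v } else { [bool]$v.Value }
}

function Disable-IisKernelCache {
    Set-WebConfigurationProperty -PSPath $Scope -Filter $Filter -Name enableKernelCache -Value $false
    # Equivalent without the WebAdministration module:
    #   & "$env:windir\system32\inetsrv\appcmd.exe" set config /section:system.webServer/caching /enableKernelCache:false
}

Write-Host "Kernel cache enabled before: $(Get-IisKernelCacheState)"
Disable-IisKernelCache
$after = Get-IisKernelCacheState
Write-Host "Kernel cache enabled after:  $after"
if ($after) {
    Write-Warning 'Kernel caching is still enabled; check that the session is elevated.'
}
```

Sites whose own web.config overrides the caching section keep their local value, so check those separately (for example with `Get-WebConfigurationProperty -PSPath 'IIS:\Sites\<site>' ...`). Disabling kernel caching costs some static-content performance, which is why it is a stopgap until the update is installed.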